<div dir="ltr"><div class="gmail_default" style="font-size:small"><br></div><div class="gmail_extra"><br><div class="gmail_quote">On Fri, Sep 12, 2014 at 7:44 AM, Rene Bartsch <span dir="ltr"><<a href="mailto:ml@bartschnet.de" target="_blank">ml@bartschnet.de</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex">On 2014-09-12 10:17, Jeroen van der Ham wrote:<span class=""><br>
<br>
<blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex">
Ah you mean you want to use DNSmasq to do the automatic translation<br>
from DHCP leases to DNS, and then automatically sign them. I would<br>
still advise you to use a secondary nameserver, unless you’re not<br>
running any mission-critical systems (in which case I think this is<br>
somewhat over the top)<br>
</blockquote>
<br></span>
You need secondary nameservers, of course. Secondary nameservers are cheap or even for free. When I studied I was in a group of students each running a root server as primary nameserver for his domain(s) and we shared the root servers as secondary nameservers with each other.</blockquote><div><br></div><div class="gmail_default" style="font-size:small">Several years ago, before Paul Vixie left ISC, we had a discussion about whether ISC could act as secondary name servers at scale (at a minimum for the U.S., for everyone's personal domains). Paul thought that they could without it being a serious load for them (ISC runs one of the root name servers).</div><div class="gmail_default" style="font-size:small"><br></div><div class="gmail_default" style="font-size:small">I've also had a similar set of discussions with the person who used to be in charge of Comcast's excellent DNS infrastructure, and he was interested, to the point of prototyping automating the delegation of the zone provided by the ISP (certainly Comcast allocates a name for each and every customer, it turns out) and doing the handshake for signing keys. He has since left Comcast, so we'd have to start over, but from my previous interactions with the technical folk at Comcast, I'm optimistic.</div><div class="gmail_default" style="font-size:small"><br></div><div class="gmail_default" style="font-size:small">If/when I can track down the right Googler who runs their DNS infrastructure, I'd like to have a similar conversation with them as I have had with Paul and Comcast in the past.</div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex"><span class=""><br>
<br>
<blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex">
What I have trouble with though is that DNSSEC is not yet at a stage<br>
where it is easy to use. It certainly is still not easy to<br>
troubleshoot and pinpoint problems. This goes beyond having an easy<br>
interface to the DNS system itself, or automatic signing of records.<br>
</blockquote>
<br></span>
I'm running my three private domains with hosted DNSSEC without any problem. The only drawback is my registrar does not provide DynDNS and lacks some resource records - and Google Public DNS has a wildcard-resolution bug. The main problem is registrars usually lack important features for consumers, may it be DNSSEC, DynDNS for dynamic IPs, IPv6 glue-records, some resource records or a usable interface for consumers.<br>
<br>
My dream is a consumer router at which the consumer just enters his public domain name(s) and the hostnames/IP addresses of Dnsmasq instances he wants to be secondary nameservers (and provide secondary nameserver service for). The router would just display the secondary nameserver hostnames/Glue-Records and the Zone-Signing-Key or DS-Key to be sent to the registry via the registrar. As the Key-Signing-Keys are kept on the router you just have to check if the registry publishes the correct ZSK/DS-record to be sure your zone has not been tampered with. The router can even scan the hosts in the LAN for services (e.g. TLS) and add records automagically (e.g. TLSA-RRs for DANE). In expert mode additional records could be added manually.</blockquote><div><br></div><div class="gmail_default" style="font-size:small">The above conversations I had with Paul Vixie and Comcast both make me optimistic something can get worked out eventually, and that this is not merely a pipe-dream. </div><div class="gmail_default" style="font-size:small"><br></div><div class="gmail_default" style="font-size:small">People with technical smarts understand that typing addresses like 2601:6:6800:724:466:4d34:949:1003 by hand really sucks and that fixing naming as presumed by IPv6 design needs to happen. User friendly, it isn't, much less aged parent friendly. And everyone has parents/grandparents they are sysadmin for, making this pretty clear in a first hand way. .local addresses you can't use with others just don't hack it, and renumbering, which often happens, makes doing things manually a PITA.</div><div class="gmail_default"><br></div><div class="gmail_default">Note also this scales well, as to where the signing occurs. And it means that the keys don't have to leave the customer's control.</div><div class="gmail_default"><br></div><div class="gmail_default">Now we just have to make the dream a reality. 
I think we can find people in the DNS core to work with to test it out.<br></div><div class="gmail_default"><br></div><div class="gmail_default"> - Jim</div><div class="gmail_default"><br></div><div class="gmail_default" style="font-size:small"><br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex"><span class=""><font color="#888888"><br>
<br>
<br>
-- <br>
Best regards,<br>
<br>
Renne</font></span><div class=""><div class="h5"><br>
<br>
_______________________________________________<br>
Dnsmasq-discuss mailing list<br>
<a href="mailto:Dnsmasq-discuss@lists.thekelleys.org.uk" target="_blank">Dnsmasq-discuss@lists.thekelleys.org.uk</a><br>
<a href="http://lists.thekelleys.org.uk/mailman/listinfo/dnsmasq-discuss" target="_blank">http://lists.thekelleys.org.uk/mailman/listinfo/dnsmasq-discuss</a><br>
</div></div></blockquote></div><br></div></div>
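<div class="gmail_default" style="font-size:small">The verification step in Renne's router design quoted above (the KSK never leaves the router, so the owner only has to confirm that the registry publishes the DS record derived from it) comes down to a small, well-specified computation. The following is an added example written for this page; it is not code from the thread, from Renne, or from Dnsmasq. It builds the DS record from a DNSKEY the way RFC 4034 section 5.1.4 (with SHA-256 per RFC 4509) and the RFC 4034 Appendix B key tag prescribe, and compares it against what the parent zone publishes, as read back with <code>dig DS</code>. It also emits a TLSA record for the DANE auto-population idea, limited to the full-certificate selector. The zone name <code>home.example.</code>, the key bytes, the certificate bytes and all function names are constructed assumptions, not real data.</div>

```python
"""Check that the parent zone's DS record really matches the KSK we hold.

Added example, not code from the thread or from Dnsmasq. It implements the
DNSKEY key tag (RFC 4034 Appendix B) and the DS digest (RFC 4034 section 5.1.4,
SHA-256 per RFC 4509). All zone names and key material below are constructed.
"""
import base64
import hashlib
import struct

DIGEST_ALGOS = {1: hashlib.sha1, 2: hashlib.sha256, 4: hashlib.sha384}


def owner_name_wire(name: str) -> bytes:
    """Canonical wire form of an owner name (RFC 4034 section 6.2): lower-cased,
    length-prefixed labels, terminated by the root label."""
    out = b""
    for label in name.rstrip(".").lower().split("."):
        if label:
            raw = label.encode("ascii")
            out += bytes([len(raw)]) + raw
    return out + b"\x00"


def dnskey_rdata(flags: int, protocol: int, algorithm: int, pubkey: bytes) -> bytes:
    """DNSKEY RDATA in wire form: flags(2) protocol(1) algorithm(1) public key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + pubkey


def parse_dnskey_line(line: str) -> tuple:
    """Parse one line of `dig DNSKEY` presentation output into (owner, rdata)."""
    fields = line.split()
    i = fields.index("DNSKEY")
    flags, protocol, algorithm = (int(x) for x in fields[i + 1:i + 4])
    pubkey = base64.b64decode("".join(fields[i + 4:]))
    return fields[0], dnskey_rdata(flags, protocol, algorithm, pubkey)


def key_tag(rdata: bytes) -> int:
    """RFC 4034 Appendix B key tag (valid for every algorithm except the
    obsolete RSA/MD5, algorithm 1, which has its own rule)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if i & 1 else b << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def ds_record(owner: str, rdata: bytes, digest_type: int = 2) -> tuple:
    """(key tag, algorithm, digest type, hex digest) for one DNSKEY.
    digest = H(canonical owner name || DNSKEY RDATA)."""
    digest = DIGEST_ALGOS[digest_type](owner_name_wire(owner) + rdata).hexdigest()
    return key_tag(rdata), rdata[3], digest_type, digest.upper()


def registry_publishes_our_key(owner: str, ksk_rdata: bytes, published_ds: list) -> bool:
    """True if at least one DS in the parent's DS RRset is derived from our KSK.
    published_ds is a list of (key tag, algorithm, digest type, hex digest)
    tuples, i.e. the fields of each `dig DS <zone>` answer line."""
    for tag, alg, dtype, digest in published_ds:
        if dtype not in DIGEST_ALGOS:
            continue  # unknown digest type: cannot be verified, so it does not count
        if (tag, alg, dtype, digest.upper()) == ds_record(owner, ksk_rdata, dtype):
            return True
    return False


def tlsa_rdata(cert_der: bytes, usage: int = 3, selector: int = 0, matching: int = 1) -> tuple:
    """TLSA record (RFC 6698) for a certificate. The default 3 0 1 is DANE-EE
    over the full certificate with SHA-256. Selector 1 (SubjectPublicKeyInfo)
    would need DER parsing and is deliberately not implemented here."""
    if selector != 0:
        raise NotImplementedError("only selector 0 (full certificate) is implemented")
    h = {1: hashlib.sha256, 2: hashlib.sha512}[matching]
    return usage, selector, matching, h(cert_der).hexdigest().upper()


if __name__ == "__main__":
    # Constructed KSK: algorithm 13 (ECDSA P-256), 64-byte public key placeholder.
    owner = "home.example."  # constructed zone name
    ksk = dnskey_rdata(257, 3, 13, bytes(range(64)))
    our_ds = ds_record(owner, ksk)
    print("DS to hand to the registrar:", owner, "IN DS", *our_ds)
    # What the parent publishes, as we would read it back with `dig DS`.
    print("registry matches our KSK:", registry_publishes_our_key(owner, ksk, [our_ds]))
    # A substituted key (tampering at the registrar, or a stale DS) must fail.
    rogue = dnskey_rdata(257, 3, 13, bytes(64))
    print("rogue DS accepted:", registry_publishes_our_key(owner, ksk, [ds_record(owner, rogue)]))
```

<div class="gmail_default" style="font-size:small">In practice the router would feed <code>parse_dnskey_line</code> its own KSK as printed by the signer, query the parent's DS RRset over a validating resolver, and alarm when <code>registry_publishes_our_key</code> returns False. A DS with an unknown digest type is skipped rather than trusted, since a record the router cannot recompute proves nothing about which key the parent is vouching for.</div>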